Posted on 05-02-2016 11:12 PM
Hi All,
Anyone show me how to add a user to AD via a script, and then add this to a specific OU?
I know how to add a user to local machine using dcsl
This would be part of my first run script after machine has booted
What I require is to have the MAC address as the username in AD stripped of the ":"
thanks in advance :)
Posted on 05-03-2016 02:44 AM
Hi, are you talking about creating users in AD from the Mac? dscl could possibly do it but I've never heard of anyone doing it that way. Scripting it in powershell on a Windows server would be a more typical route.
Posted on 05-03-2016 03:01 AM
You never used to be able to have usernames that start with a number. If it's been allowed, I'd personally avoid it. You may wish to re-think.
Posted on 05-03-2016 03:34 AM
The whole idea would be to have a machine use this account for MAC address bypass. The way the sys admins have set this up is to have the MAC address as user in AD then radius would allow machine into correct VRF.
As we do not use certificate based 8021x wired authentication I am finding it very difficult to get it working just using PEAP as the radius server is dropping the authentication.
1 of the options I want to put forward is to have the labs build with Casper, grab the MAC address and create an AD account.
I would love to be able to re-think but I have a requirement for Machine based authentication so machines are not sitting in a quarantine VRF.
Posted on 05-03-2016 04:15 AM
Are you confusing usernames with computer names?
Posted on 05-03-2016 04:30 AM
Let me put in another way. If you want mac address user/password in AD to allow access to your network you probably don't want to allow a mechanism that allows client machines to do this.
You'd probably want to script this AD server side and pass a list of mac addresses to the server.
Alternatively use certificates.
Posted on 05-03-2016 03:15 PM
@sean nope, not confusing usernames with computer names, I need to have a MAC address as a User in AD.
As the mechanism for adding would be a static group in Casper it would not be that difficult to manage.
I will test some dscl commands to see what happens.
Posted on 05-03-2016 04:16 PM
If you use a domain admin account with relevant permissions to edit AD, then yes you can script this. That will involve a username and password in clear text that has this level of permission to edit your AD! Is the cost of the security of your AD worth the gain of your wifi security?
This is why I suggested doing a script server side and use Casper to export the mac addresses to pass to the script on the server.
Of course this doesn't prevent access by mac address spoofing, which is why certificates are a better option.